SecureLink Chief Research Officer Eward Driehuis Takes Us Through The Top Threats In August 2018

August. It’s that time of the year when a big chunk of the InfoSec scene goes to Las Vegas, and academics mention “they can finally get some work done”. As this month’s events are so diverse, it’s difficult to quantify them. Comparing apples to oranges is an issue in every top threat rundown. That said, here’s a roundup of interesting events.

1. US Democrats warn about Chinese devices

The DNC’s CISO, Bob Lord, warns about using specifically Huawei and ZTE devices. The DNC, of course, is no stranger to finding nation states in their infrastructures. And the Chinese have a bit of a reputation when it comes to espionage. For example, 11 out of around 20 known APT groups (numbered between 1 and 38), are Chinese. There is no background information as to why ZTE and Huawei might be riskier to use than other Chinese devices. The warning is not issued by the government, and it’s not echoed across other countries. One can only think: if Huawei devices are compromised, what about their immense infrastructure install base? Many of the largest telephone companies, including those in Europe, run their back-ends on Huawei switches. Imagine if we found proof of Bob Lord’s assertion… That would be big.

2. Epic’s Fortnite Android installer & fallout

Epic CEO Tim Sweeney decided their upcoming Android version is bypassing the Play Store. There are a few interesting issues with that. First of all, Fornite is one of the most popular games ever. Although it has a 12+ age recommendation, I dare anyone with younger kids to ask them how they like Fortnite. By providing it as an APK, Epic will not pay 30% Play Store tax which they say is disproportionate. They are gambling with kids’ behavior though. For every install or update they need to “allow untrusted sources” Which means, at a young age, kids will learn in order to get to the goodness, sometimes you need to behave insecurely.

We suspect there’s going to be a big discussion about the Play Store tax, but we hope we’re not wagering youngsters’ online behavior.

The argument between Epic and Google became heated when Google found that Fortnite was vulnerable to a new type of attack, called “man-in-the-disk”. Sweeney said the disclosure was done in “retaliation” to the news that Epic is bypassing the Play store. Man-in-the-disk is something to remember though. It affects Android devices with extra (MicroSD) storage. Apps stored on MicroSD evade sandboxing, introducing all kinds of risk.

3. Faxploit

The people at Check Point have done some research we really like. It includes side channels, crafted faxes and misused ancient protocols. By sending a specially crafted fax to a fax number, attackers could then take over from the network connected side of the device, using it as a stepping stone to penetrate the network further. All-in-one devices are especially vulnerable. Industries with a large amount of good old paperwork, like legal and logistics, should really consider unplugging their fax machines, or move them to a well segmented place in the network, so that in a worst-case scenario, attackers can’t get to the shiny valuable data.

4. Dark Tequila

Dark Tequila has been around for five years, and it’s now uncovered by GReAT. The campaign uses sophisticated, modular malware. It steals banking information and login credentials for a big set of popular cloud services, including Amazon, Dropbox and Microsoft Office 365. Targets are reported to have been infected either via spear-phishing or contaminated USB devices. The malware triggers based on certain criteria like geolocation; for example, it avoids infecting non-Mexican users or computers that either have AntiVirus software installed or appear to belong to malware analysts; these characteristics are likely to be the main reason for the malware managing to stay undetected for so long. Although sophisticated modular malware is not new, it is quite novel in that region.